
Hands-On Ethical Hacking and Network Defense
Second Edition

Chapter 1
Ethical Hacking Overview
Objectives
After this lecture and completing the exercises, you
will be able to:
Describe the role of an ethical hacker
Describe what you can do legally as an ethical
hacker
Describe what you can't do as an ethical hacker
Hands-On Ethical Hacking and Network Defense, Second Edition 2
Introduction to Ethical Hacking
Ethical hackers
Hired by companies to perform penetration tests
Penetration test
Attempt to break into a company's network to find
the weakest link
Security test
More than a break-in attempt; includes analyzing the
company's security policy and procedures
Vulnerabilities are reported
The Role of Security and Penetration Testers
Hackers
Access computer system or network without
authorization
Breaks the law; can go to prison
Crackers
Break into systems to steal or destroy data
U.S. Department of Justice calls both hackers
Ethical hacker
Performs most of the same activities with the owner's
permission
The Role of Security and Penetration Testers (cont'd.)
Script kiddies or packet monkeys
Younger, inexperienced hackers who copy code
from knowledgeable hackers
Programming languages used by experienced
penetration testers
Practical Extraction and Report Language (Perl)
C and the C-derived languages (C++, C#, Java, etc.)
Script
Set of instructions
Runs in sequence to perform tasks
The Role of Security and Penetration Testers (cont'd.)
Tiger box
Collection of tools
Used for conducting vulnerability assessments and
attacks
E.g., BackTrack is a widely used Linux-based
distribution bundling many testing tools for
conducting network attacks (since superseded by Kali Linux)
Penetration-Testing Methodologies
White box model
Tester is told about network topology and technology
Tester is permitted to interview IT personnel and
company employees
Makes the tester's job a little easier
Black box model
Staff does not know about the test
Tester is not given details about technologies used
Burden is on tester to find details
Tests security personnel's ability to detect an attack
Figure 1-1 A sample floor plan
Penetration-Testing Methodologies (cont'd.)
Gray box model
Hybrid of the white and black box models
Company gives tester partial information (e.g., OSs
are used, but no network diagrams)
What You Can Do Legally
Laws involving technology change as rapidly as
technology itself
Keep abreast of what's happening in your area
Find out what is legal for you locally
Be aware of what is allowed and what you should
not or cannot do
Laws vary from state to state and country to country
Laws of the Land
Some hacking tools on your computer might be
illegal
Contact local law enforcement agencies before
installing hacking tools
Laws are written to protect society
Written words are open to interpretation
Government is getting more serious about
cybercrime punishment
Is Port Scanning Legal?
Some governments do not see it as a violation
Not always the case
Be prudent before using penetration-testing tools
Read your ISP's Acceptable Use Policy
Internet Relay Chat (IRC) bot
Program that sends automatic responses to users
Gives the appearance of a person being present
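Whatever the local view of port scanning, a tester's own tooling should refuse to touch anything outside the ranges the client authorized in writing. The scanner below is an added example, not code from the textbook: a plain TCP connect scan (no raw sockets, no root) that first checks the target against an authorized scope of CIDR ranges and raises if it falls outside. The scope 127.0.0.0/8, the loopback listener it scans, and port 1 as a known-closed port are assumptions constructed for the demo so it runs offline.

```python
"""Scope-gated TCP connect scanner (added example, not from the book)."""
import ipaddress
import socket
from contextlib import closing


class OutOfScopeError(Exception):
    """Raised when a target is outside the authorized ranges."""


def resolve(host):
    """Return the IP address for host; IP literals are accepted without a DNS lookup."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(socket.gethostbyname(host))


def in_scope(host, scope):
    """True if host resolves to an address inside one of the authorized CIDR ranges."""
    addr = resolve(host)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in scope)


def scan_ports(host, ports, scope, timeout=0.5):
    """TCP connect scan of `ports` on `host`, refusing any target outside `scope`.

    Returns the sorted list of ports that accepted a connection (IPv4 only).
    A short per-port timeout keeps a filtered host from stalling the run.
    """
    if not in_scope(host, scope):
        raise OutOfScopeError(f"{host} is not within the authorized scope {scope}")
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success, an errno (e.g. ECONNREFUSED) otherwise
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def start_listener(host="127.0.0.1"):
    """Constructed target: a listening socket on an OS-assigned port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Hypothetical engagement scope for this demo: loopback only
    AUTHORIZED = ["127.0.0.0/8"]
    srv, port = start_listener()
    try:
        # Port 1 (tcpmux) is assumed closed; the listener's port should show as open
        print("open on 127.0.0.1:", scan_ports("127.0.0.1", [1, port], AUTHORIZED))
    finally:
        srv.close()
    try:
        scan_ports("127.0.0.1", [port], ["10.0.0.0/8"])
    except OutOfScopeError as exc:
        print("refused:", exc)
```

The scope check runs before the first packet is sent, so a mistyped hostname or a stale target list fails closed instead of producing an unauthorized scan; in a real engagement the scope list would come from the signed statement of work rather than a constant in the script.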
Federal Laws
Federal computer crime laws are getting more
specific
Cybercrimes
Intellectual property issues
U.S. Department of Justice Computer Hacking and
Intellectual Property (CHIP) program
Prosecutors in U.S. Attorneys' offices dedicated to
computer hacking and intellectual property crimes
UK Computer Misuse Act (1990)
UK PCeU - Police Central e-crime Unit
What You Cannot Do Legally
Illegal actions:
Accessing a computer without permission
Destroying data without permission
Copying information without permission
Installing worms or viruses
Denying users access to network resources
Be careful your actions do not prevent the client's
employees from doing their jobs
Get It in Writing
Using a contract is good business
May be useful in court
Books on working as an independent contractor
The Computer Consultant's Guide by Janet Ruhl
Getting Started in Computer Consulting by Peter
Meyer
Internet can also be a helpful resource
Free modifiable templates
Have an attorney (solicitor) read your contract
before signing
Ethical Hacking in a Nutshell
Skills needed to be a security tester
Knowledge of network and computer technology
Ability to communicate with management and IT
personnel
An understanding of the laws in your location
Ability to use necessary tools
Summary
Companies hire ethical hackers to perform
penetration tests
Penetration tests discover vulnerabilities in a
network
Security tests are performed by a team of people
with varied skills
Penetration test models
White box model
Black box model
Gray box model
Summary (cont'd.)
Be aware
What you are legally allowed or not allowed to do
ISPs may have an acceptable use policy
May limit ability to use tools
Summary (cont'd.)
Laws should be understood before conducting a
security test
Get it in writing
Use a contract
Have an attorney read the contract
Understand tools available to conduct security tests
Learning how to use them should be a focused and
methodical process
